Splunk Enterprise

How to extract different formats of files with common regex?

Ashwini008
Communicator

I have the below filenames where I need to capture only the bold part. But all these files are in the same location. I cannot use a single regex that applies to all the below file formats.

How do I proceed on capturing the required format?

worldtime.xml.1
ztymp.txt.1
molu.dat.1
jss_pyuroly_7.dat.1
zpiyzygh.rtnugbhti.1
AD.CD.MBOUDN.1
DM.DEVT.IYP.IN.1

zpiyrmlu.rage.600.1.txt.1
in_zpiyrmlu.rage.600.1.txt.1
in_soledt.pou.til.ssn.gpg.1.txt.1

zprunsledSCALLb1.prn.1


manjunathmeti
Champion

Hi @Ashwini008,

You can strip file extensions from the file name.

| eval filename=replace(filename, "\.(xml|txt|dat|gpg|prn|1)", "")

Sample query:

| makeresults 
| eval _raw="filename
worldtime.xml.1
ztymp.txt.1
molu.dat.1
jss_pyuroly_7.dat.1
zpiyzygh.rtnugbhti.1
AD.CD.MBOUDN.1
DM.DEVT.IYP.IN.1
zpiyrmlu.rage.600.1.txt.1
in_zpiyrmlu.rage.600.1.txt.1
in_soledt.pou.til.ssn.gpg.1.txt.1
zprunsledSCALLb1.prn.1" 
| multikv forceheader=1 
| eval filename=replace(filename, "\.(xml|txt|dat|gpg|prn|1)", "")

If this reply helps you, an upvote/like would be appreciated.
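An added Python example (not code from the question or the reply) that runs the reply's unanchored pattern beside an end-anchored variant over the filenames listed in the question, plus one constructed name with a ".1" in the middle, to show where the two diverge:

```python
import re

# Constructed sample input: the filenames from the question, plus one
# extra name (marked) that carries a ".1" in the middle rather than only at the end.
SAMPLE_FILENAMES = [
    "worldtime.xml.1",
    "ztymp.txt.1",
    "molu.dat.1",
    "jss_pyuroly_7.dat.1",
    "zpiyzygh.rtnugbhti.1",
    "AD.CD.MBOUDN.1",
    "DM.DEVT.IYP.IN.1",
    "zpiyrmlu.rage.600.1.txt.1",
    "in_zpiyrmlu.rage.600.1.txt.1",
    "in_soledt.pou.til.ssn.gpg.1.txt.1",
    "zprunsledSCALLb1.prn.1",
    "backup.1.final.xml.1",  # constructed, not from the question
]

# The pattern used in the reply's replace(): unanchored, so every occurrence
# of ".xml", ".txt", ".dat", ".gpg", ".prn" or ".1" is removed, wherever it sits.
UNANCHORED = re.compile(r"\.(xml|txt|dat|gpg|prn|1)")

# Anchored variant: removes only a run of those tokens at the end of the
# name, leaving an identical token in the middle of the name intact.
ANCHORED = re.compile(r"(?:\.(?:xml|txt|dat|gpg|prn|1))+$")


def strip_extensions(name: str, anchored: bool = True) -> str:
    """Return the filename with the known extension/rotation tokens removed."""
    pattern = ANCHORED if anchored else UNANCHORED
    return pattern.sub("", name)


def compare(names):
    """Map each name to (unanchored result, anchored result) where the two differ."""
    out = {}
    for n in names:
        u, a = strip_extensions(n, anchored=False), strip_extensions(n, anchored=True)
        if u != a:
            out[n] = (u, a)
    return out


if __name__ == "__main__":
    for n in SAMPLE_FILENAMES:
        print(f"{n:40} -> {strip_extensions(n)}")
    print("names where the two patterns disagree:", compare(SAMPLE_FILENAMES))
```

For the question's own filenames both patterns give the same result; only the constructed name exposes the difference, so the anchored form is the safer choice when a rotation counter can appear mid-name.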